Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d9dcfa1d4712658…

MALICIOUS

PDF

32.0 KB Created: 2020-11-02 11:05:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7aade42675724611564ab34a7066ebde SHA-1: 9df32c389f103a620d93f6e2481d242beffbb3b6 SHA-256: 3d9dcfa1d471265880fb9bfa78e13a50d86cf144468e637c61e6c9b044bccaae
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and contains a link to known malicious redirector infrastructure. The embedded URL, https://ttraff.me/123?keyword=5th+grade+supplies, is the primary indicator of malicious intent, likely leading to a phishing or malware download site. No scripts were extracted, but the presence of a malicious URL in a PDF is a strong indicator of a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=5th+grade+supplies
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wuzalugiseto/diaphragm_breathing_exercise.pdf
    • https://s3.amazonaws.com/vezosoluvezoj/areas_de_brodmann_slideshare.pdf
    • https://s3.amazonaws.com/jubiferekaka/10557110340.pdf
    • https://s3.amazonaws.com/gewuwasi/xameraxu.pdf
    • https://s3.amazonaws.com/fekaduvopigab/bedajemisubap.pdf
    • https://uploads.strikinglycdn.com/files/595f1a2f-30e8-42e0-ba13-21925d0aa621/manual_cigarette_roller.pdf
    • https://s3.amazonaws.com/napisakaluja/plemmons_student_union_food.pdf
    • https://cdn.shopify.com/s/files/1/0436/1610/8701/files/48314237021.pdf
    • https://uploads.strikinglycdn.com/files/e041c929-5b49-4eaa-8c19-43b44e8fc2f9/biwegudozikajogor.pdf
    • https://uploads.strikinglycdn.com/files/ac735fc8-87b6-4b17-84bf-1b8d579f7c3b/curly_girl_method_dandruff.pdf
    • https://uploads.strikinglycdn.com/files/0aaad314-1ccc-4ef2-8089-057ac6f8ede6/juzusatexufim.pdf
    • https://uploads.strikinglycdn.com/files/d0d07269-1c84-4b58-98da-690b86986d6d/pupisuwibixekoseki.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067a2.bin
75da4d9c3cdbe73ac647ee7c7a483c171d2a87793d3de8b9411dc8cf8025b2ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67A2 5252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.